Orphaned User Accounts Run Wild in Enterprises

When an employee leaves your company, do you make sure you shut down his or her user accounts at once? And do you check to confirm this has been done?

If not, you’re evidently not alone, according to a new study conducted by eMediaUSA for Symark International, which found that the accounts of ex-employees, contractors and suppliers are too often left open and accessible after they leave.

Orphaned accounts are a “huge, huge issue, because you’re facing security breaches, compliance breaches [and] identity fraud, and it can lead to both internal and external data breaches,” Sally Hudson, research director at IDC, told InternetNews.com.

Many enterprises don’t even know how exposed they may be to the threat. The survey found that 42 percent of the 867 security, IT, human resources and C-level executives polled didn’t know how many orphaned accounts even existed in their businesses.

About 27 percent of the respondents said that their organizations had more than 20 orphaned accounts, while 30 percent said they had no procedures in place to locate orphaned accounts.

The problem is created by “a lack in the effectiveness of processes for provisioning and deprovisioning access, identity and user accounts,” Scott Crawford, research director at Enterprise Management Associates, told InternetNews.com.

While “a lot of organizations” have invested in identity management and identity provisioning, “often, the deprovisioning of access can be neglected,” Crawford said.

In one enterprise, Crawford said, auditors found that 43 percent of its accounts should have been retired or had access privileges that were too broad.

The threat “is the most significant area of audit defects,” he added.

Despite the pervasiveness of the problem, solutions have been available for quite some time.

“All the large vendors — CA, IBM and so on — implement technology to identify and eliminate orphaned accounts in their provisioning systems,” Hudson said.

Such solutions target one of the major causes of orphaned accounts: that accounts have to be created, managed and deleted manually, according to Bilhar Mann, a senior vice president for security management at CA.

CA’s Identity Manager, for example, automatically correlates administrator-defined user privileges, or entitlements, with available users, and orphaned accounts are then either reassigned by the managers or automatically deleted by the system.

“Once you implement a provisioning system, you won’t have orphaned accounts at all,” Mann told InternetNews.com. “We can suspend accounts when a user goes on leave for a few weeks, or we can automatically delete them when someone leaves the company.”

The requirement for manual management is also one of the reasons native Unix and Linux accounts, defined directly in the operating system, often harbor orphaned accounts, according to Jeff Nielsen, Symark’s senior product manager.

Symark, which offers enterprises solutions to control and monitor their employees’ access to files and applications, recently unveiled its PowerAdvantage product for Linux and Unix systems to target the problem with automation.

PowerAdvantage integrates Linux and Unix systems into Microsoft Active Directory, where admins specify the maximum allowed age of accounts. As a result, administrators can “use one tool to create, manage and delete accounts,” Nielsen told InternetNews.com.

Once a system administrator has entered the expiration date for account access, users’ rights will automatically be rescinded when their time is up, he said.

PowerAdvantage also integrates with PowerBroker, Symark’s authorization and access control tool for Linux and Unix. The two authenticate to Active Directory and enable systems administrators to disable access to root accounts when the account holders leave the company.
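As an added example (not Symark’s or CA’s code), here is a small Python audit script showing the kind of check the tools above automate: it reconciles native Unix accounts against an HR roster and the expiry field in /etc/shadow, and flags accounts that are still enabled although their owner has left, their expiry has passed, or no expiry was ever set. The passwd, shadow and roster data are constructed for the example.

```python
"""Find orphaned local Unix accounts by reconciling /etc/passwd and
/etc/shadow-style records against an HR roster of current staff."""
from datetime import date

# Constructed sample data; not taken from any real system.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob (contractor):/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash
erin:x:1005:1005:Erin:/home/erin:/bin/bash
svc_backup:x:1006:1006:backup job:/var/backup:/usr/sbin/nologin
"""
# Shadow field 8 is the account-expiry day (days since 1970-01-01); empty = never.
# A hash starting with "!" or "*" means the account is locked.
SHADOW = """\
root:$6$hash:19000:0:99999:7:::
alice:$6$hash:19000:0:99999:7::19400:
bob:$6$hash:19000:0:99999:7::19200:
carol:!$6$hash:19000:0:99999:7:::
dave:$6$hash:19000:0:99999:7:::
erin:$6$hash:19000:0:99999:7:::
svc_backup:*:19000:0:99999:7:::
"""
HR_ROSTER = {"alice", "carol", "erin"}  # people HR still lists as active
HUMAN_UID_MIN = 1000                     # system accounts sit below this


def days_since_epoch(d):
    """Convert a date to the day count used by /etc/shadow."""
    return (d - date(1970, 1, 1)).days


def find_orphans(passwd, shadow, roster, today_days, uid_min=HUMAN_UID_MIN):
    """Return {user: reason} for enabled human accounts that look orphaned."""
    expiry, locked = {}, {}
    for line in shadow.splitlines():
        f = line.split(":")
        expiry[f[0]] = int(f[7]) if f[7] else None
        locked[f[0]] = f[1].startswith(("!", "*"))
    findings = {}
    for line in passwd.splitlines():
        user, _, uid, *_rest, shell = line.split(":")
        if int(uid) < uid_min or shell.endswith("nologin") or locked.get(user):
            continue  # system account or already disabled
        exp = expiry.get(user)
        if exp is not None and exp <= today_days:
            findings[user] = "expired but still enabled"
        elif user not in roster:
            findings[user] = "not in HR roster"
        elif exp is None:
            findings[user] = "no expiry date set"
    return findings


if __name__ == "__main__":
    for user, why in find_orphans(PASSWD, SHADOW, HR_ROSTER,
                                  days_since_epoch(date.today())).items():
        print(f"{user}: {why}")
```

On a real host the same logic would read the live files and the roster from HR, and the findings feed the disable/delete step rather than ending at a printout.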
